Mattermost Server vulnerabilities
417 known vulnerabilities affecting mattermost/mattermost_server.
Total CVEs: 417
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL 16 | HIGH 77 | MEDIUM 288 | LOW 36
Vulnerabilities
Page 19 of 21
CVE-2019-20876 | MEDIUM | CVSS 5.4 | fixed in 4.10.8 | affected: ≥ 5.7.0, < 5.7.3 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy.
Source: NVD
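Every entry on this page states its fix as a list of releases, one per maintained branch ("before 5.9.0, 5.8.1, 5.7.3, and 4.10.8"). That is why the header can say "fixed in 4.10.8" next to an affected range of ≥ 5.7.0, < 5.7.3: a deployment is fixed only if it is at or past the fix release for its own major.minor branch, or at or past the newest fix release; a 5.6.x install is still affected even though 4.10.8 is "fixed". The Go program below is an added example, not part of this page or of Mattermost's code base, that parses that phrasing out of the description text and checks a running version against it. The description strings it uses are copied from entries on this page; the running versions it checks are made up for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Version is a Mattermost release number in major.minor[.patch] form.
type Version struct{ Major, Minor, Patch int }

var versionRe = regexp.MustCompile(`^(\d+)\.(\d+)(?:\.(\d+))?$`)

// ParseVersion accepts "5.9.0" or a branch-style "5.2" (patch defaults to 0).
func ParseVersion(s string) (Version, error) {
	m := versionRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Version{}, fmt.Errorf("not a version: %q", s)
	}
	var v Version
	v.Major, _ = strconv.Atoi(m[1])
	v.Minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.Patch, _ = strconv.Atoi(m[3])
	}
	return v, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// SameBranch reports whether two versions share a major.minor release line.
func (v Version) SameBranch(o Version) bool {
	return v.Major == o.Major && v.Minor == o.Minor
}

// FixedVersions pulls the release list out of an NVD-style sentence such as
// "... Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. ...".
// It reads tokens after "before " until the first token that is neither a
// version nor "and", so trailing prose such as "OAuth 2.0" is not taken for a release.
func FixedVersions(desc string) ([]Version, error) {
	i := strings.Index(desc, "before ")
	if i < 0 {
		return nil, fmt.Errorf("no 'before' clause in description")
	}
	var fixes []Version
	for _, tok := range strings.Fields(desc[i+len("before "):]) {
		tok = strings.TrimRight(tok, ".,;")
		if tok == "and" {
			continue
		}
		v, err := ParseVersion(tok)
		if err != nil {
			break
		}
		fixes = append(fixes, v)
	}
	if len(fixes) == 0 {
		return nil, fmt.Errorf("no versions after 'before'")
	}
	return fixes, nil
}

// IsAffected applies the semantics of the "before A, B, C" phrasing: a version
// is fixed if it is at or past the newest fix release, or at or past the fix
// that was backported to its own major.minor branch; anything else is affected.
func IsAffected(v Version, fixes []Version) bool {
	if len(fixes) == 0 {
		return false
	}
	newest := fixes[0]
	for _, f := range fixes[1:] {
		if newest.Less(f) {
			newest = f
		}
	}
	if !v.Less(newest) {
		return false
	}
	for _, f := range fixes {
		if v.SameBranch(f) && !v.Less(f) {
			return false
		}
	}
	return true
}

// Check is a convenience wrapper: NVD description text plus a running version string.
func Check(desc, running string) (bool, error) {
	fixes, err := FixedVersions(desc)
	if err != nil {
		return false, err
	}
	v, err := ParseVersion(running)
	if err != nil {
		return false, err
	}
	return IsAffected(v, fixes), nil
}

func main() {
	// Description copied from the CVE-2019-20876 entry; the running versions are made up.
	desc := "An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy."
	for _, running := range []string{"4.10.7", "4.10.8", "5.6.2", "5.7.2", "5.7.3", "5.9.0"} {
		affected, err := Check(desc, running)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-7s affected=%v\n", running, affected)
	}
}
```

The parser stops at the first non-version token on purpose: the CVE-2017-18905 description on this page continues "when used as an OAuth 2.0 service provider", and a naive "find every number.number" scan would report 2.0 as a fix release. Two-part versions such as "5.2" in CVE-2018-21252 are treated as x.y.0. The rule encodes the NVD wording literally; it says nothing about release lines that never existed.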
CVE-2019-20873 | MEDIUM | CVSS 6.5 | fixed in 4.10.8 | affected: ≥ 5.7.0, < 5.7.3 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information during user activation/deactivation.
Source: NVD
CVE-2019-20860 | MEDIUM | CVSS 5.5 | fixed in 5.9.4 | affected: ≥ 5.12.0, < 5.12.6 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of service (application hang) via a crafted SVG document.
Source: NVD
CVE-2017-18872 | MEDIUM | CWE-732 | CVSS 4.3 | fixed in 4.3.3 | affected: ≥ 4.4.0, < 4.4.3 | 2020-06-19
An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.
Source: NVD
CVE-2017-18893 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 4.0.5 | affected: ≥ 4.1.0, < 4.1.1 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
Source: NVD
CVE-2018-21252 | MEDIUM | CWE-732 | CVSS 4.3 | fixed in 4.10.3 | affected: ≥ 5.0.0, < 5.0.3 (+2 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups.
Source: NVD
CVE-2017-18897 | MEDIUM | CWE-601 | CVSS 6.1 | fixed in 4.0.5 | affected: ≥ 4.1.0, < 4.1.1 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.
Source: NVD
CVE-2017-18887 | MEDIUM | CWE-200 | CVSS 5.3 | fixed in 4.1.2 | affected: ≥ 4.2.0, < 4.2.1 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
Source: NVD
CVE-2016-11065 | MEDIUM | CWE-732 | CVSS 4.3 | fixed in 3.3.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.
Source: NVD
CVE-2017-18905 | MEDIUM | CWE-613 | CVSS 5.3 | fixed in 3.9.2 | affected: ≥ 3.10.0, < 3.10.2 | 2020-06-19
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider. Session invalidation was mishandled.
Source: NVD
CVE-2017-18916 | MEDIUM | CWE-732 | CVSS 5.3 | fixed in 3.6.7 | affected: ≥ 3.7.0, < 3.7.5 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
Source: NVD
CVE-2017-18914 | MEDIUM | CWE-754 | CVSS 5.3 | fixed in 3.6.7 | affected: ≥ 3.7.0, < 3.7.5 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
Source: NVD
CVE-2018-21250 | MEDIUM | CWE-400 | CVSS 6.5 | fixed in 4.10.4 | affected: ≥ 5.1.0, < 5.1.2 (+1 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions.
Source: NVD
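The entry above describes the resource-exhaustion class in which the size an uploaded file declares in its header, not the size of the file itself, drives how much memory the server allocates: a few hundred bytes of PNG header can claim a 100000x100000 canvas. The page does not say how Mattermost fixed CVE-2018-21250, so the Go program below is an added illustration of the standard defence for raster uploads and is not Mattermost's patch: cap the raw bytes read, check the dimensions declared in the header with image.DecodeConfig (which parses the header without allocating the pixel buffer), and only then run the full decode. The byte and pixel limits are made-up values; the oversized PNG is constructed in the code (a signature plus an IHDR chunk claiming 100000x100000, with no pixel data). The crafted-SVG hang in CVE-2019-20860 higher up on this page is the same class but needs a different guard (XML parser limits) and is not covered here.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"image"
	"image/png"
	"io"
)

// Limits for untrusted uploads. Illustrative values, not Mattermost's configuration.
const (
	MaxUploadBytes = 8 << 20    // 8 MiB of raw file
	MaxPixels      = 24_000_000 // about 6000x4000; bounds the decoded buffer, not just the file
)

// SafeDecode reads at most MaxUploadBytes from r, rejects the image on the
// dimensions declared in its header (image.DecodeConfig parses the header only
// and allocates no pixel buffer), and only then performs the full decode.
func SafeDecode(r io.Reader) (image.Image, string, error) {
	data, err := io.ReadAll(io.LimitReader(r, MaxUploadBytes+1))
	if err != nil {
		return nil, "", err
	}
	if len(data) > MaxUploadBytes {
		return nil, "", fmt.Errorf("file exceeds %d bytes", MaxUploadBytes)
	}
	cfg, format, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return nil, "", fmt.Errorf("unreadable image header: %w", err)
	}
	// Multiply in int64 so two large dimensions cannot wrap around on 32-bit int.
	if int64(cfg.Width)*int64(cfg.Height) > MaxPixels {
		return nil, format, fmt.Errorf("declared size %dx%d exceeds %d pixels", cfg.Width, cfg.Height, MaxPixels)
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	if err != nil {
		return nil, format, err
	}
	return img, format, nil
}

// CraftedPNGHeader builds a constructed PNG whose IHDR declares width x height.
// It carries no pixel data: the header alone is what the guard must catch.
func CraftedPNGHeader(width, height uint32) []byte {
	var b bytes.Buffer
	b.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}) // PNG signature
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], width)
	binary.BigEndian.PutUint32(ihdr[4:8], height)
	ihdr[8] = 8 // bit depth
	ihdr[9] = 6 // colour type RGBA; bytes 10..12 (compression, filter, interlace) stay 0
	chunk := append([]byte("IHDR"), ihdr...)
	binary.Write(&b, binary.BigEndian, uint32(13)) // chunk data length
	b.Write(chunk)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(chunk)) // CRC over type+data, as the decoder checks
	return b.Bytes()
}

// TinyPNG encodes a real 1x1 image so the accepting path can be exercised offline.
func TinyPNG() []byte {
	var b bytes.Buffer
	_ = png.Encode(&b, image.NewRGBA(image.Rect(0, 0, 1, 1)))
	return b.Bytes()
}

func main() {
	samples := []struct {
		name string
		data []byte
	}{
		{"1x1 png", TinyPNG()},
		{"100000x100000 png", CraftedPNGHeader(100000, 100000)},
	}
	for _, s := range samples {
		_, format, err := SafeDecode(bytes.NewReader(s.data))
		fmt.Printf("%-18s format=%q err=%v\n", s.name, format, err)
	}
}
```

The order matters: the byte cap protects the header parse, the header check protects the full decode, and neither alone is enough, since a tiny file can declare an enormous canvas and a large file can be a perfectly ordinary photo. A format-specific decoder may apply its own sanity checks, but those are not a substitute for a pixel budget chosen for the deployment.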
CVE-2016-11080 | MEDIUM | CWE-732 | CVSS 4.3 | fixed in 3.0.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
Source: NVD
CVE-2020-14460 | MEDIUM | CVSS 6.5 | fixed in 5.9.8 | affected: ≥ 5.16.0, < 5.16.5 (+3 more) | 2020-06-19
An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does not always require admin privileges, aka MMSA-2020-0001.
Source: NVD
CVE-2016-11084 | MEDIUM | CWE-352 | CVSS 6.1 | fixed in 2.1.0 | 2020-06-19
An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.
Source: NVD
CVE-2016-11067 | MEDIUM | CWE-20 | CVSS 5.3 | fixed in 3.2.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
Source: NVD
CVE-2016-11079 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 3.0.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
Source: NVD
CVE-2016-11071 | MEDIUM | CWE-79 | CVSS 6.1 | fixed in 3.1.0 | 2020-06-19
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
Source: NVD
CVE-2017-18902 | MEDIUM | CWE-200 | CVSS 5.3 | fixed in 3.10.3 | affected: ≥ 4.0.0, < 4.0.4 | 2020-06-19
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
Source: NVD